API Agreements Explained
API agreements refer to a contract or other legal mechanism by which the provider of one application programming interface ("API") grants access to its programming interface to another party. These parties generally include providers of software and/or web-based applications and service providers that integrate such applications into their own software and/or web-based applications. Software developers and providers typically enter into API licensing agreements with other software developers and/or service providers in connection with completing a transaction, building a product offering or adding an additional feature or functionality to a product.
An API agreement is particularly important because it serves as the primary source of understanding the rights and obligations of each party . It generally will lay out the terms and conditions by which a provider of an API must be used by a third-party application provider. A clearly stated API agreement can protect the rights and interests of each party, including confidentiality, intellectual property and liability concerns among other interests. API license agreements are also important from the standpoint that, in some cases, they are made available to the public. Many public-facing API agreements contain clear and conspicuous restrictions, including restrictions on how the API can be used and a limiting of remedies for any claims arising out of the agreement. API agreements can also have an important practical impact on the manner in which a party interfaces with a third-party API, and it can serve as the foundation for future cooperation and interaction between the parties.
Essential Elements of API Agreements
API agreements vary based on the service provided but typically contain similar key components. Enumerating these key components provides guidance on identifying provisions in your current API agreement or developing an efficient API agreement in the future. Of course, consult your attorney to determine what is appropriate for your specific situation.
Access Rights
Generally, the access rights covers the scope of system resources that the parties agree to allow and promote to the end-users of the services. Access rights can be granted with permissions or limitations on such rights.
Permissions: API agreements often require consent prior to a party allowing its end-users access to the others’ API (and sometimes also to certain portions of the API). The other party may have the ability to approve or disapprove the proposed use of its API by the party’s end-users. Alternatively, if the parties agree that they will self-approve their respective uses of each other’s service, the API agreement often sets out the process for communicating changes in the parties’ uses of each other’s API.
Limitations: Many API agreements limit access rights by imposing certain terms and conditions about the use and access of the API. API agreements may restrict the API to only certain pre-approved end-users of a party (i.e., restricting the API to be used only by the end-users who are registered to the party’s ecosystem). API agreements sometimes restrict any resale or redistribution of the API. The terms and conditions, of course, vary based on the business needs of the parties.
Usage Limitations
Once a party is granted access to the API, it may be subject to restrictions on its use of the API. These restrictions can be in the form or limits on internal or external uses.
License
The API agreement often includes a license that grants the party the right to access and use the agreed-upon service. The type of license to use the service varies with the type of API being offered. For example, some API agreements grant a license only for a party to get API data and use the data internally but prohibit the party from publishing or redistributing the API data externally. Other API agreements can be less restrictive and allow for the party to get API data and publish the API data for third-party users of the API. As with all license agreements, be sure to review how broadly or narrowly the license is being granted.
Confidentiality
APIs can exchange sensitive data between the party’s systems, such as account numbers, customer information and credit card information. It is important that the API grant agreement include a requirement for parties to maintain the secrecy and confidentiality of the APIs as well as any data exchanged through the APIs so that these parties can protect each other’s confidential information.
Service Level Agreement (SLA)
API agreements often include service level commitments by the API provider. These can include security measures for the API, uptime guarantees, customer support hours, maintenance schedules and procedures for reporting issues with the API.
Types of API Licensing Arrangements
A variety of licensing models are available in API agreements, each with its own implications for developers and businesses. Here we discuss several common types. Open APIs are available to any developer who wants to incorporate the API into their application, often at no cost. Companies may choose to make some or all functions of their internal APIs public. In addition, the API ecosystem generates a vast number of open APIs not tied to any single internal API, many of which aggregate information from other open APIs (a widely cited example of this is Weather Underground which compiles weather data from various sources). Open APIs provide great benefit to the technical community, but at the same time they can be misused. For example, secret API endpoints can be exposed or secured endpoints can be accessed on unauthorised accounts, sometimes resulting in the theft of proprietary information such as usernames, passwords and other credentials. While such conduct does not appear to be occurring on a large scale, it is advisable for API owners to monitor usage of their APIs.
Proprietary APIs require that developers first obtain approval from the API owner before being granted access. Developers must execute a user agreement that governs their use of the API. In addition to a standard confidentiality provision, proprietary API licensing terms may contain other obligations, such as restrictions on the number of calls a developer makes to the API or the level of identifying information the developer must provide about itself and its clients. Proprietary APIs are generally used to mitigate security risks and to ensure proper quality control over the API. This type of licensing model is popular with companies seeking to limit their exposure.
Restrictive licensing models may be used to deny API access to certain developers, thereby limiting competition. For example, before granting access to the API, the company may require developers to agree to clauses in their user agreements that restrict competition. An example of this is the restraint of trade provisions imposed by Amazon on parties that use its API. As long as the restriction is appropriately drafted and supported by a legitimate business rationale, such restrictions will likely be enforceable in most jurisdictions.
Key Legal Considerations for API Agreements
API agreements can potentially lead to a variety of legal issues, which should be anticipated and minimized in order to protect the interests of all parties involved. In addition to anti-competitive issues (which are covered by this LawCast) and privacy issues (which are covered in another LawCast), the negotiation of API agreements can sometimes lead to the following legal issues:
Intellectual Property Ownership: In most cases, the service provider will want to own all rights to the software, including source code, content, trademarks, etc., while the customer will insist on being able to modify the software, use it however they want, and keep the modifications and new works they make based on it. Obviously there are too many options available to explore in-depth here, but one option that can work to some extent is to have a set of APIs with a license that allows customers to modify the software to fit their needs but only for their own internal use.
Limitation of Liability: In almost every API agreement, it is very rare to see an effective limitation of liability clause as the damages often increase dramatically when the potential inability to deliver a service that customers are dependent on is considered. This becomes even more problematic in the case of "per-incident" fees (a fee that applies each time the service is down , rather than a flat monthly fee) which can quickly increase to exceed any reasonably applied damages caps. With that in mind, a workaround is to "disaggregate" or separate the services offered into multiple services. For example, offering an API for automated stock trading and also an API for news or information feed means that "business interruption" damage to the news/supply chains can be capped while at least some damage is recoverable for business interruption/errors on the stock trading side of the service.
Data Privacy Issues: A big issue in many API agreements is protection of data privacy as the data that flows through an API may be incredibly sensitive. At a minimum, API agreements typically need to deal with the security of the data, limitation on retention of the data (if any), restrictions on use of the customer’s data by the service provider, and destruction of the customer’s data by the service provider upon termination of the agreement. Some of the more complex APIs (such as social media sites that capture so much information through user activity) may also require data "anonymization" or "pseudonymization" prior to transmission over the API.
Tips for Drafting API Agreements
When it comes to drafting API agreements, there are several best practices that can help ensure that the agreement is clear, effective, and meets the needs of both parties. Clarity is crucial when it comes to API agreements as they must be readily available, easily understood, and actionable. The document must not only address the technical aspects and parameters of the API’s operation, but also the business goals and priorities of the parties involved. In addition to expressing in explicit terms what each party is required to do and what they are prohibited from doing, an effective API license agreement ensures compliance with all applicable laws and regulations. This is particularly important when APIs use, store, and disclose personal and/or sensitive information which may require compliance with laws such as HIPAA, PCI DSS, or other federal or state laws, rules or regulations.
The Future of API Agreements
As technology continues to advance, APIs have developed as a critical building block in every digital business. Both startups and large enterprises are increasingly relying on APIs to facilitate all sorts of interactions, including customer experience, employee collaboration, internal processes and integration with other systems and applications. In relatively short order, APIs have become ubiquitous and essential to the way we use the internet. In 2023, Statista estimates that APIs generate USD 1.3 trillion in global economic value . Looking further forward, market research firm Business Research Insights estimates the size of the API market will grow from USD 1633 million in 2022 to USD 3785 million in 2032 – an annual growth rate of nearly 9 percent. As APIs have evolved, and as certain trends like API monetization grow, recent years have seen increased focus on the types of agreements required to adequately address API licensing and the related contractual needs of parties buying and selling APIs. As the use of APIs accelerates, and the parties involved in creating, selling and using APIs become more diverse – along with new API-related business models emerging – API agreements will continue to evolve.